Cross border - off-shoring and outsourcing privacy sensitive data
Cloud, Cross-Border, Off-Shoring, Outsourcing, Privacy, Sensitive Data

    Cross border - off-shoring and outsourcing privacy sensitive data: Presentation Transcript

    • Cross-Border - Off-Shoring and Outsourcing Privacy Sensitive Data. Ulf Mattsson, CTO Protegrity, ulf.mattsson AT protegrity.com
    • Ulf Mattsson, CTO Protegrity
        • 20 years with IBM: Research & Development & Global Services
        • Inventor: Encryption, Tokenization & Intrusion Prevention
        • Involvement: PCI Security Standards Council (PCI SSC); American National Standards Institute (ANSI) X9 (Encryption & Tokenization); International Federation for Information Processing (IFIP WG 11.3 Data and Application Security); ISACA New York Metro chapter
    • Cloud
    • Cloud Services
        • Services usually provided by a third party; can be virtual, public, private, or hybrid
        • Increasing adoption: up 12% from 2012*
        • Often an outsourced solution, sometimes cross-border
        • Allows for greater accessibility of data and low overhead
        • *Source: GigaOM
    • Cloud Services and Models. Source: NIST, CSA
    • Drivers for Data Security
    • Drivers for Data Security
        • Regulations & Laws: Payment Card Industry Data Security Standard (PCI DSS); National Privacy Laws; Cross-Border & Outsourcing Privacy Laws
        • Expanding Threat Landscape: Hackers & APT; Internal Threats & Rogue Privileged Users; Excessive Privilege or Security Negligence
        • Sensitive Data Insight & Usability: Unprotected Sensitive or Restricted Data is Unusable for Marketing, Monetization, Outsourcing, etc.
        • Vulnerabilities in Emerging Technologies
    • Regulations & Laws: PCI DSS
    • PCI Data Security Standards Council
        • Founded in 2006, comprised of four major credit card brands
        • Each card brand enforcement program issues fines, fees and schedule deadlines
        • Visa's Cardholder Information Security Program (CISP): http://www.visa.com/cisp
        • MasterCard's Site Data Protection (SDP) program: http://www.mastercard.com/us/sdp/index.html
        • Discover's Discover Information Security and Compliance (DISC) program: http://www.discovernetwork.com/fraudsecurity/disc.html
        • American Express Data Security Operating Policy (DSOP): http://www.americanexpress.com/datasecurity
    • PCI DSS
        • Build and maintain a secure network.
            1. Install and maintain a firewall configuration to protect data
            2. Do not use vendor-supplied defaults for system passwords and other security parameters
        • Protect cardholder data.
            3. Protect stored data
            4. Encrypt transmission of cardholder data and sensitive information across public networks
        • Maintain a vulnerability management program.
            5. Use and regularly update anti-virus software
            6. Develop and maintain secure systems and applications
        • Implement strong access control measures.
            7. Restrict access to data by business need-to-know
            8. Assign a unique ID to each person with computer access
            9. Restrict physical access to cardholder data
        • Regularly monitor and test networks.
            10. Track and monitor all access to network resources and cardholder data
            11. Regularly test security systems and processes
        • Maintain an information security policy.
            12. Maintain a policy that addresses information security
    • PCI DSS 3.0
        • Protection of cardholder data in memory
        • Clarification of key management dual control and split knowledge
        • Recommendations on making PCI DSS business-as-usual and best practices
        • Security policy and operational procedures added
        • Increased password strength
        • New requirements for point-of-sale terminal security
        • More robust requirements for penetration testing
    • PCI DSS Cloud Guidelines. Relevant to all sensitive data that is outsourced to cloud:
        1. Clients retain responsibility for the data they put in the cloud
        2. Public-cloud providers often have multiple data centers, which may often be in multiple countries or regions
        3. The client may not know the location of their data, or the data may exist in one or more of several locations at any particular time
        4. A client may have little or no visibility into the controls
        5. In a public-cloud environment, one client’s data is typically stored with data belonging to multiple other clients. This makes a public cloud an attractive target for attackers
    • Regulations & Laws: National Privacy Laws
    • National Privacy Laws - USA. Health Information Portability and Accountability Act – HIPAA
        1. Names
        2. All geographical subdivisions smaller than a State
        3. All elements of dates (except year) related to individual
        4. Phone numbers
        5. Fax numbers
        6. Electronic mail addresses
        7. Social Security numbers
        8. Medical record numbers
        9. Health plan beneficiary numbers
        10. Account numbers
        11. Certificate/license numbers
        12. Vehicle identifiers and serial numbers
        13. Device identifiers and serial numbers
        14. Web Universal Resource Locators (URLs)
        15. Internet Protocol (IP) address numbers
        16. Biometric identifiers, including finger prints
        17. Full face photographic images
        18. Any other unique identifying number
    • Privacy Laws: 54 International Privacy Laws; 30 United States Privacy Laws
    • National Privacy Laws - India
        • Information Technology Act – 2000 (IT Act): requires that the corporate body and Data Processor implement reasonable security practices and standards; IS/ISO/IEC 27001 requirements recognized
        • Information Technology Act – 2008 (Amended IT Act): damages for negligence and wrongful gain or loss; criminal punishment for disclosing Sensitive Personal Information (SPI)
        • India Privacy Law – 2011: expanded definition of SPI to passwords, financial data, health data, medical treatment records, and more
        • Right to Privacy Bill – 2013 (Proposed): increased jail terms & fines for disclosure of SPI; addresses data handled for foreign clients
    • Regulations & Laws: Cross-Border & Outsourcing Laws
    • Cross-Border & Outsourcing Laws
        • The laws of the sending country apply to data sent across international borders, including outsourced operations (i.e. National Privacy Laws)
        • APEC Cross-Border Privacy Laws: non-binding privacy enforcement in Asia-Pacific region
    • Expanding Threat Landscape
    • Cyber Criminals Cost India USD 4 Billion. Source: Symantec 2013
    • http://www.ey.com/Publication/vwLUAssets/EY_-_2013_Global_Information_Security_Survey/$FILE/EY-GISS-Under-cyber-attack.pdf
    • Sensitive Data Insight & Usability
    • Vulnerabilities in Emerging Technologies
    • Holes in Big Data… Source: Gartner
    • Many Ways to Hack Big Data [diagram of the Hadoop stack: BI Reporting, RDBMS, Pig (Data Flow), Hive (SQL), Sqoop, MapReduce (Job Scheduling/Execution System), Hbase (Column DB), HDFS (Hadoop Distributed File System), Avro (Serialization), Zookeeper (Coordination), ETL Tools; labelled entry points: Hackers, Unvetted Applications Or Ad Hoc Processes, Privileged Users]. Source: http://nosql.mypopescu.com/post/1473423255/apache-hadoop-and-hbase
    • The Insider Threat
    • Sensitive Data Insight & Usability
        • Big Data and Cloud environments are designed for access and deep insight into vast data pools
        • Data can be monetized not only by marketing analytics, but through sale or use by a third party
        • The more accessible and usable the data is, the greater this ROI benefit can be
        • Security concerns and regulations are often viewed as opponents to data insight
    • Big Data Vulnerabilities and Concerns
        • Big Data (Hadoop) was designed for data access, not security
        • Security in a read-only environment introduces new challenges
        • Massive scalability and performance requirements
        • Sensitive data regulations create a barrier to usability, as data cannot be stored or transferred in the clear
        • Transparency and data insight are required for ROI on Big Data
    • Cloud Vulnerabilities and Concerns
        • Public cloud security is often not visible to the client, but client is still responsible for security
        • Greater access to shared data sets by more users creates additional points of vulnerability
        • Data redundancy for high availability, often across multiple data centers, increases vulnerability
        • Virtualization can create numerous security issues
        • Transparency and data insight are required for ROI
        • How do you lock this?
    • Data De-Identification
    • What is de-identification of identifiable data?
        • The solution to protecting identifiable data is to properly de-identify it.
        • [diagram: Personally Identifiable Information alongside Health Information / Financial Information, before and after]
        • Redact the information – remove it.
        • The identifiable portion of the record is de-identified with any number of protection methods such as masking, tokenization, encryption, redacting (removed), etc.
        • The method used will depend on your use case and the reason that you are de-identifying the data.
    • Identifiable Sensitive Information (Field: Real Data / Tokenized or Pseudonymized)
        • Name: Joe Smith / csu wusoj
        • Address: 100 Main Street, Pleasantville, CA / 476 srta coetse, cysieondusbak, CA
        • Date of Birth: 12/25/1966 / 01/02/1966
        • Telephone: 760-278-3389 / 760-389-2289
        • E-Mail Address: joe.smith@surferdude.org / eoe.nwuer@beusorpdqo.org
        • SSN: 076-39-2778 / 937-28-3390
        • CC Number: 3678 2289 3907 3378 / 3846 2290 3371 3378
        • Business URL: www.surferdude.com / www.sheyinctao.com
        • Fingerprint: Encrypted
        • Photo: Encrypted
        • X-Ray: Encrypted
        • Healthcare / Financial Services: Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc. Financial Services Consumer Products and activities
        • Protection methods can be equally applied to the actual healthcare data, but not needed with de-identification
    • De-Identified Sensitive Data (Field: Real Data / Tokenized or Pseudonymized)
        • Name: Joe Smith / csu wusoj
        • Address: 100 Main Street, Pleasantville, CA / 476 srta coetse, cysieondusbak, CA
        • Date of Birth: 12/25/1966 / 01/02/1966
        • Telephone: 760-278-3389 / 760-389-2289
        • E-Mail Address: joe.smith@surferdude.org / eoe.nwuer@beusorpdqo.org
        • SSN: 076-39-2778 / 076-28-3390
        • CC Number: 3678 2289 3907 3378 / 3846 2290 3371 3378
        • Business URL: www.surferdude.com / www.sheyinctao.com
        • Fingerprint: Encrypted
        • Photo: Encrypted
        • X-Ray: Encrypted
        • Healthcare / Financial Services: Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc. Financial Services Consumer Products and activities
        • Protection methods can be equally applied to the actual data, but not needed with de-identification
    • How Should I Secure Different Data? [chart: Use Case (Simple to Complex) against Type of Data (Structured, Un-structured); methods: Tokenization of Fields, Encryption of Files; data classes: PCI (Card Holder Data), PII (Personally Identifiable Information), PHI (Protected Health Information)]
    • Research Brief: Tokenization Gets Traction. Author: Derek Brink, VP and Research Fellow, IT Security and IT GRC
        • Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption
        • Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data
        • Over the last 12 months, tokenization users had 50% fewer security-related incidents than tokenization non-users
    • Vaultless Tokenization & Data Insight
        • The business intelligence exposed through Vaultless Tokenization can allow many users and processes to perform job functions on protected data
        • Extreme flexibility in data de-identification can allow responsible data monetization
        • Data remains secure throughout data flows, and can maintain a one-to-one relationship with the original data for analytic processes
    • Use Cases for Coarse & Fine Grained Security
    • Off-shoring & Outsourcing
    • Privacy Impacts BPO & Offshore Business Solutions
        • Business Process Outsourcing (BPO): Business Processes (e.g. Loans, Mortgages, Call Centre, Claims Processing, ERP, etc.); Application Development (need to de-identify Data for Testing and Development)
        • Off-Shoring: same as Outsourcing, but data is sent for business functions (like call center, etc.) off-shore
        • Laws governing your ability to send real data to 3rd parties are already restrictive, and becoming more so
        • Penalties for infringement are growing more severe
        • Risk of data breaches and data theft is increased
    • Examples
        • Major Bank in EU wants to centralise EDW operations in a single country and therefore send customer data from country A to country B. Privacy Laws in country A prohibit this.
        • Private Bank in Europe wants to offshore Finance Operations. Privacy Law prohibits transfer of citizen data to India.
        • Retail Bank in Scandinavia wants to offshore Customer Services. Privacy law prevents transfer of citizen data to the Far East.
    • Case Studies
    • Protegrity Use Case: UniCredit. Challenges: The primary challenge was to protect PII – names and addresses, phone and email, policy and account numbers, birth dates, etc. – to the satisfaction of EU Cross Border Data Security requirements. This included incoming source data from various European banking entities, and existing data within those systems, which would be consolidated at the Italian HQ.
    • Case Study - Large US Chain Store
        • Reduced cost: 50% shorter PCI audit
        • Quick deployment: minimal application changes; 98% application transparent
        • Top performance: performance better than encryption
        • Stronger security
    • Case Study: Large Chain Store. Why? Reduce compliance cost by 50%
        • 50 million Credit Cards, 700 million daily transactions
        • Performance Challenge: 30 days with Basic to 90 minutes with Vaultless Tokenization
        • End-to-End Tokens: Started with the D/W and expanding to stores
        • Lower maintenance cost – don’t have to apply all 12 requirements
        • Better security – able to eliminate several business and daily reports
        • Quick deployment
        • Minimal application changes
        • 98% application transparent
    • Please contact us for more information Ulf.Mattsson@protegrity.com www.protegrity.com
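
The De-Identified Sensitive Data slides show tokens that keep the original format and part of the value (the phone's area code, the card's last four digits), and the Vaultless Tokenization slide asks for a one-to-one relationship with the original data. The sketch below is an added example, not from the presentation and not Protegrity's algorithm: a keyed Feistel permutation over the digits, where the key, function names and round count are assumptions and the construction is not NIST FF1/FF3-1.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed value; a real key belongs in a KMS/HSM

def round_fn(key, rnd, half, width):
    """Keyed round function: HMAC-SHA256 of (round, half) reduced to `width` digits."""
    mac = hmac.new(key, bytes([rnd]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % 10**width

def feistel(digits, key, decrypt=False, rounds=8):
    """Alternating Feistel network over a decimal string: a keyed permutation."""
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for i in (reversed(range(rounds)) if decrypt else range(rounds)):
        m = u if i % 2 == 0 else v  # width of the half rewritten in round i
        if decrypt:
            a, b = f"{(int(b) - round_fn(key, i, a, m)) % 10**m:0{m}d}", a
        else:
            a, b = b, f"{(int(a) + round_fn(key, i, b, m)) % 10**m:0{m}d}"
    return a + b

def tokenize(value, keep_first=0, keep_last=0, key=KEY, decrypt=False):
    """Replace the digits of `value`; separators and the kept digits stay in place."""
    digits = [c for c in value if c.isdigit()]
    end = len(digits) - keep_last
    body = "".join(digits[keep_first:end])
    if len(body) < 2:
        raise ValueError("need at least two digits to tokenize")
    digits[keep_first:end] = feistel(body, key, decrypt)
    it = iter(digits)
    return "".join(next(it) if c.isdigit() else c for c in value)

def detokenize(token, keep_first=0, keep_last=0, key=KEY):
    """Invert tokenize() for holders of the key."""
    return tokenize(token, keep_first, keep_last, key, decrypt=True)

if __name__ == "__main__":
    # Sample values are the ones shown on the slides; the tokens differ from the slides'.
    for value, first, last in [("076-39-2778", 3, 0),
                               ("3678 2289 3907 3378", 0, 4),
                               ("760-278-3389", 3, 0)]:
        token = tokenize(value, first, last)
        assert detokenize(token, first, last) == value
        print(f"{value} -> {token}")
```

Because the mapping is deterministic, equal inputs give equal tokens, which is what lets de-identified data be joined and counted. The same property means a small field (six free SSN digits here) can be enumerated by anyone allowed to call `tokenize`, so access to the tokenization function needs the same control as the key.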